The steps are complex, but a persistent hacker could access personal data.

An old vulnerability in the iPhone's lock screen and Emergency Call feature appears to have resurfaced for a third time in iOS 6.1. With the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected.

A similar bug first appeared in iOS 2.0. That version of iOS added optional user-selectable actions for double-clicking the Home button, with the default to access a user's contact favorites. By clicking the Emergency Call button on an iPhone's lock screen and then double-clicking the Home button, the Phone app would show the list of your favorite contacts. From there, it was possible to access call logs, voicemails, and any contact; send SMS messages; send or read e-mails; and even launch Safari.

Apple fixed the flaw in iOS 2.1, but it popped up again in iOS 4.1. The sequence of actions was a little more complex, however. It required dialing a random number for an emergency call and then hitting the hardware lock button. Doing so would allow the standard Phone app UI to appear once again, giving a potential hacker access to call logs, voicemails, and contacts.

Now the same basic bug appears to have returned in iOS 6.1. The sequence of steps looks to be more complex, but a potentially malicious user can still gain access to any data accessible from the Phone app. Someone could even look through your photos by attempting to edit a contact and adding a picture to it.

The Verge has details of the latest iteration of this bug, shown in the video below.

Video: iOS 6.1 lockscreen bypass

Apple hasn't made any public notice of the flaw at this time, but it's possible that a fix could come shortly; an iOS update is already in the works to address a potentially serious issue that could lock some iPhone users out of their Exchange accounts due to a calendar syncing bug.

UPDATE: Apple has stated that a fix for this potentially serious bug is coming sooner rather than later. "Apple takes user security very seriously," Apple spokesperson Trudy Muller told AllThingsD Thursday afternoon. "We are aware of this issue, and will deliver a fix in a future software update."

55 Reader Comments

I'm not sure which is more interesting, that a bug has come back 3 times, or that there are people out there who have enough time on their hands they can push one button, swipe twice, push another button 4 times, swipe the other way 6 times, push the same button 3 times, and nothing happens. Then they start all over again except they swipe 5 times.

Hmm, there definitely seems to be something going very wrong with software testing at Apple. Something like that may happen once, but not two or three times. Same with all the calendar and alarm clock bugs. Shit happens, but it shouldn't happen thrice.

I can only get my 4S to go to a black screen, not the phone app, on 6.1.1. I might be doing it wrong, I suppose. You can tell there's something odd going on, as you can see the status bar turn blue after bringing up the power off confirmation and dismissing it.

Yes, after a couple attempts I can only get it to lock on a black screen with status bar, sometimes blue, sometimes black. Once it looked like I got the timing almost right, and I could briefly see the Phone app before the lock screen came back. Hard to say if the effects are different on different hardware or not; I only have a Verizon iPhone 5 handy ATM.

"Well one day I needed to make an emergency call with a stranger's phone, but then I accidentally hit standby, and then turned it back on and made the call. But then I remembered that I didn't have to make an emergency call, so I cancelled it.

Then I remembered that I DID need to make an emergency call, but I figured I'd get better reception if I held the power button while pushing 'emergency call'. Why? because it would give the signal more 'power' clearly! Then I got access to all the guy's stuff and it was really interesting. He died because I forgot to make the emergency call."

I think ARS needs to run an article on how/who finds these bugs. Is there some guy living in his mom's basement eating hot pockets and making pseudo-random swipes and button presses until something happens?

Say what you want about Blackberries but this kind of nonsense never happens. I hope this opens the eyes of all these companies that were so happy to switch from one of the most secure phones to this crap. I've had my phones taken away twice by the police and I've never even spent one second worrying about them being able to unlock my phone. Auto-lock after 1 minute, 5 wrong attempts and the whole phone wipes itself. Also good to keep the prying eyes of a girlfriend off your phone.

I know for most consumers this might be such a bad thing but for departments inside the government etc this is huge.

This is an interesting question. You can use the camera to take a picture while the phone is locked, but you can't view the camera roll. Clearly the "emergency call" feature is part of the Phone.app, which I believe runs at all times in the background. So mucking around with emergency calls and all these random button presses apparently works around whatever blocks Apple has put in to avoid exposing the regular UI when the screen is locked. Maybe encrypting this data while the screen is locked is a better solution? I don't know; it's hard to say for sure without knowing all the ins and outs involved, but maybe that's doable.

There is something either systematically wrong with Apple's process (probable) or the private frameworks are about as fundamentally robust as his Holiness.

Disclosure: I develop for Mac and iDevices.

As a developer, how often does your QA process include "push one button, swipe twice, push another button 4 times, swipe the other way 6 times, push the same button 3 times, and nothing happens. Then they start all over again except they swipe 5 times."?

I'd be interested to know how someone managed to write code that implements that behavior in the first place. But I seriously doubt that's a minimal repro.

I think ARS needs to run an article on how/who finds these bugs. Is there some guy living in his mom's basement eating hot pockets and making pseudo-random swipes and button presses until something happens?

And? That guy deserves a job and not the Q&A guy/girl (I'm not even going to assume plural) at Apple who probably lives in a big house eating steak and lobster for breakfast.

I think ARS needs to run an article on how/who finds these bugs. Is there some guy living in his mom's basement eating hot pockets and making pseudo-random swipes and button presses until something happens?

I'd assume that it's people who have some knowledge of how the iPhone's lock screen and other internals work making educated guesses. The odds of finding something like this via random chance are staggeringly low. Much more likely they figured out that the right series of inputs causes a buffer overflow, or perhaps entering a hidden debug sequence of gestures that was left over from testing causes the right process to crash, or whatever.

Hmm, there definitely seems to be something going very wrong with software testing at Apple. Something like that may happen once, but not two or three times. Same with all the calendar and alarm clock bugs. Shit happens, but it shouldn't happen thrice.

After reading Isaacson's biography on Jobs, I'd agree. CEO, logistics and hardware procurement was taken by Cook, aesthetics was passed over to Jony Ive, but no one took software (or functionality) over. It's not Cook or Jony's specialty. Apple's software hasn't been so consistently bad since the (excusable) early days... For the record, I don't consider this glitch to be a big issue, it's the culmination of stuff-ups that are the issue...

I'd assume that it's people who have some knowledge of how the iPhone's lock screen and other internals work making educated guesses. The odds of finding something like this via random chance are staggeringly low. Much more likely they figured out that the right series of inputs causes a buffer overflow, or perhaps entering a hidden debug sequence of gestures that was left over from testing causes the right process to crash, or whatever.

Also chances are there are folks who do a diff on all the binaries Apple changed each time they release an update and figure out what changed.

Has anyone at ARS been able to replicate this? The forums on The Verge only mention people who have tried and failed, mostly because they are jailbroken.

So, want to try some reporting?

CNet says they've managed to do it.

Indeed. The first report I see of this being replicated.

Just to be clear, I think the video is legit, but all the reports of "black screen" instead of access implies that this is either very difficult to pull off (very precise timing/luck) or it affects a subset of iPhones.

There is something either systematically wrong with Apple's process (probable) or the private frameworks are about as fundamentally robust as his Holiness.

Disclosure: I develop for Mac and iDevices.

As a developer, how often does your QA process include "push one button, swipe twice, push another button 4 times, swipe the other way 6 times, push the same button 3 times, and nothing happens. Then they start all over again except they swipe 5 times."?

This is an interesting question. You can use the camera to take a picture while the phone is locked, but you can't view the camera roll. Clearly the "emergency call" feature is part of the Phone.app, which I believe runs at all times in the background. So mucking around with emergency calls and all these random button presses apparently works around whatever blocks Apple has put in to avoid exposing the regular UI when the screen is locked. Maybe encrypting this data while the screen is locked is a better solution? I don't know; it's hard to say for sure without knowing all the ins and outs involved, but maybe that's doable.

That would be my question... I know with the camera lock screen on android 4.2x it will only let me see pictures I am currently taking, or have taken since I started the lock screen app, all other pictures are locked until I enter pin. I dunno I think it just makes sense that if you pin protect your device then without the pin no access should be given....

When you write software, always assume any bug you have will be found, regardless of how obscure/"you're holding it the wrong way" it is. When you test/QA, always poke and prod where the developer did NOT specifically tell you to--chances are it's something they've overlooked/under-tested/simply assumed that it "worked".

The phrase "a user would never do that" should leave your lexicon the minute you decide to develop code for release to other people.

Yes, exactly. I don't know how many times I've had things caught (mostly in testing, thank goodness) from users doing unexpected things. You have to remember you, as the developer, are almost irrevocably biased, both as being intimately (I would presume) familiar with the code and the application, and in being (I presume) completely computer literate, which is what most consumers of commercial software are not.

Edit, since I never got to my point before hitting submit, I don't think Apple has enough testers wringing their stuff out; probably due to the hush-hush environment they have going on over there.

There is something either systematically wrong with Apple's process (probable) or the private frameworks are about as fundamentally robust as his Holiness.

Disclosure: I develop for Mac and iDevices.

As a developer, how often does your QA process include "push one button, swipe twice, push another button 4 times, swipe the other way 6 times, push the same button 3 times, and nothing happens. Then they start all over again except they swipe 5 times."?

Not usually part of QA, but at a module (or system) level, you might use something like a state transition table to go through a very complicated scheme of use cases dependent on multiple preconditions & triggers. Basically, you have a row of "states" your software can be in, and a column of triggers. You go through pretty much all the paths to make sure you can't end up in some weird place, and some default behavior if you do by some quirk. I use these all the time at work doing embedded software.
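The state transition table approach from the comment above, as an added example that is not part of the original thread and not Apple's code: a constructed toy lock-screen model is walked exhaustively to check that no path without the PIN reaches a state exposing user data. The state names, trigger names and both tables are assumptions; the buggy cell mirrors the iOS 2.0 behaviour the article describes.

```python
from collections import deque

# Constructed toy model, not Apple's code. States: LOCKED, EMERGENCY_DIALER,
# FAVORITES, HOME. The last two expose user data.
PRIVATE = {"FAVORITES", "HOME"}
TRIGGERS = ["tap_emergency", "double_home", "cancel", "lock_button", "correct_pin"]
AUTH = {"correct_pin"}  # triggers that authenticate the user

# Rows are states, columns are triggers; any missing cell falls back to LOCKED.
FIXED = {
    ("LOCKED", "tap_emergency"): "EMERGENCY_DIALER",
    ("LOCKED", "correct_pin"): "HOME",
    ("EMERGENCY_DIALER", "double_home"): "EMERGENCY_DIALER",  # ignored while locked
    ("EMERGENCY_DIALER", "cancel"): "LOCKED",
    ("HOME", "double_home"): "FAVORITES",
    ("FAVORITES", "cancel"): "HOME",
}
# Same table with the iOS 2.0 behaviour the article describes: the Home
# double-click shortcut is honoured from the emergency dialer.
BUGGY = {**FIXED, ("EMERGENCY_DIALER", "double_home"): "FAVORITES"}


def step(table, state, trigger):
    """Look up one cell; undefined cells default to the safe state."""
    return table.get((state, trigger), "LOCKED")


def find_bypass(table, start="LOCKED"):
    """Breadth-first walk of every path that never uses an AUTH trigger.

    Returns the shortest trigger sequence reaching a PRIVATE state, or None
    when the invariant holds for the whole table.
    """
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if state in PRIVATE:
            return path
        for trig in TRIGGERS:
            if trig in AUTH:
                continue
            nxt = step(table, state, trig)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [trig]))
    return None


if __name__ == "__main__":
    print("buggy:", find_bypass(BUGGY))
    print("fixed:", find_bypass(FIXED))
```

Run as a regression test, a check like this fails the build whenever a table change makes a data-exposing state reachable without authentication.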

It's the government man... Apple put a backdoor into the system so the man can keep you down. They will close this one and add 20 more steps and give that out to the man so he can look at your pictures...

Say what you want about Blackberries but this kind of nonsense never happens. I hope this opens the eyes of all these companies that were so happy to switch from one of the most secure phones to this crap. I've had my phones taken away twice by the police and I've never even spent one second worrying about them being able to unlock my phone. Auto-lock after 1 minute, 5 wrong attempts and the whole phone wipes itself. Also good to keep the prying eyes of a girlfriend off your phone.

I know for most consumers this might be such a bad thing but for departments inside the government etc this is huge.

LOL... LOL... LOL...

I had to turn off Autolock on my Blackberry because it was pocket dialing 911.

Here was the sequence of events that was happening in my pocket:

1) Scroll-ball gets accidentally pressed.
2) Brings up three options: "Unlock", "Cancel", and "Emergency Call" (with "Unlock" highlighted as the default)
3) Phone moving around in the pocket moves the highlight down to "Emergency Call"
4) Another accidental press of the scroll-ball and the phone calls 911
5) 911 operator has a conversation with my junk
6) 911 operator hangs up, calls me back 10 seconds later "this is 911, is everything OK, we just got a call from your phone"

Happened twice before I just turned off Autolock.

So tell me again how much better Blackberry's Autolock feature is?

Sounds more like an accidental use-case than an actual bug in the software.

... and I had to read the bolded part a couple times to parse it into social acceptability.